PRIVACY IMPACT ASSESSMENT QUESTIONNAIRE

The purpose of this document is to summarize the findings of the United States Department of Labor Web Production Environment System (DOL-WPES) Privacy Impact Assessment (PIA). The PIA ensures the confidentiality, integrity, and availability of the information contained within the system. This assessment aims to determine what types of data are collected, stored, or shared and by its nature, whether that data will cause an invocation of the Privacy Act of 1974. This document also assesses the risks for system vulnerability.

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

• Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.
  The system collects personally identifiable information on DOL employees, contractors and members of the public.
  

• What are the sources of the PII in the information system?
• The sources of the PII are from DOL employees, contractors and members of the public.
  

• What is the PII being collected, used, disseminated, or maintained?
• First Name
• Last Name
• Business Address
• Business Email Address
• Business Phone Number
• Residential Address
• Mailing Address
• Personal Phone Number
• Personal E-mail Address
• Employer Identification Number (EIN)/Taxpayer Identification Number (TIN)
• Network logon credentials(e.g., username and password, public key certificate)
• Other: DUNS Number
• How is the PII collected?
  PII is collected through various applications' web forms residing on DOL.gov site and LaborNet intranet.
  

• How will the information be checked for accuracy?
  All of the PII is submitted via web based forms within the applications. Validation techniques implemented within the forms (i.e. form field validation) verifies the data's accuracy before it is captured.
  

• What specific legal authorities, arrangements, and/or agreements defined the collection of information?
  PII collections vary depending upon applications and owner agencies. Each application collects PII data per owner agencies' legal authorities. OPA DEC is only the custodian of the applications.
  

• Privacy Impact Analysis
  The type of PII is limited to general business related information and is managed via administrative interfaces that can only be accessed via the DOL internal network.
  
  Unauthorized Data Access (Confidentiality):
  The data repository, which houses the collected information, is secured and access is tightly controlled. Only authorized system administrators and engineers have access to the data repository.

Data Integrity:
Restrictive account permissions control access to the data repository. Validation techniques implemented within the forms (i.e. form field validation) verifies the data's accuracy before it is captured.

The following questions are intended to outline how long information will be retained after the initial collection.

• How long is information retained in the system?
  PII collections vary depending upon applications and owner agencies. Each application retains PII per owner agencies records management policy; OPA DEC is only the custodian of the applications.
  

• Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?
  PII collections vary depending upon applications and owner agencies. Each application retains PII per owner agencies records management policy; OPA DEC is only the custodian of the applications.
  

• How is it determined that PII is no longer required?
  PII collections vary depending upon applications and owner agencies. Each application retains PII per owner agencies records management policy; OPA DEC is only the custodian of the applications.
  

• What efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?
  PII collections vary depending upon applications and owner agencies. Each application retains PII per owner agencies records management policy; OPA DEC is only the custodian of the applications.
  

• Privacy Impact Analysis
  PII collections vary depending upon applications and owner agencies. Each application retains PII per owner agencies records management policy; OPA DEC is only the custodian of the applications.

The following questions are intended to define the scope of sharing within the Department of Labor.

• With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
  Information regarding PII is shared within the owner agency of the application in the Department of Labor.

• How is the PII transmitted or disclosed?
  PII is not transmitted or disclosed.

• Privacy Impact Analysis
  The privacy risks associated with sharing of this information is mitigated by providing owner agencies' administrative users the access to the PII information. The administrative users will be authenticated using a username and a password.

• With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
  Information regarding PII is shared within the owner agency of the application in the Department of Labor.
  

• How is the PII transmitted or disclosed?
  PII is not transmitted or disclosed.
  

• Privacy Impact Analysis

The privacy risks associated with sharing of this information is mitigated by providing owner agencies' administrative users the access to the PII information. The administrative users will be authenticated using a username and a password.

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

• With which external organization(s) is the PII shared, what information is shared, and for what purpose?

The PII is not shared with any external organization.

• Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

None.

• How is the information shared outside the Department and what security measures safeguard its transmission?

The PII is not shared with any external organization.

• Privacy Impact Analysis

Since there is no external sharing, no risks have been identified.

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

• Was notice provided to the individual prior to collection of PII?
  Yes .There will be customized Privacy statements displayed on DOL.gov Web site and various applications' web forms that collect the PII.
  

• Do individuals have the opportunity and/or right to decline to provide information?
  Yes.
  

• Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
  Yes. They have the right to consent to particular use of the information by the prominent display of the privacy statements on DOL.gov Web site and various applications' web forms that collect the PII. These privacy statements clearly explains the purpose for which the collected PII will be used and tells the procedures to follow in order opt-out of information retention
  

• Privacy Impact Analysis
  Individuals are made aware through the Privacy statements displayed on DOL.gov Web site and various applications' web forms that collect the PII. This way the risk associated with individuals being unaware of the collection is mitigated.

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

• What are the procedures that allow individuals to gain access to their information?
  Most applications do not allow individuals to gain access to their information. In the event that an application requires a username and password, users can request that this information be sent to them via email (forgot username/password functionality).

• What are the procedures for correcting inaccurate or erroneous information?
  Instructions are provided within the applications for the data owners. Validation techniques implemented within the forms (i.e. form field validation) verifies the data's accuracy before it is captured.
  

• How are individuals notified of the procedures for correcting their information?
  Not Applicable
  

• If no formal redress is provided, what alternatives are available to the individual?
  The alternative for redress is to use owner agencies' contact information on the web form and contact them.
  

• Privacy Impact Analysis
  No identified risk.